MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b789d4ddcafc503eff5ad068d03492ec3fe4644798c0ca68957a5405c7fc3c0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10
SHA256 hash: b789d4ddcafc503eff5ad068d03492ec3fe4644798c0ca68957a5405c7fc3c0d
SHA3-384 hash: 945fa75d3a6c9b611f908d50f6abc7d00699715280c6c564e4e0637c6c8fd81e76a61f45886288dbc3be7bb58dd9ed4f
SHA1 hash: f3f4810796075f58a604b41b261d91d8d48bb67a
MD5 hash: 6b0bd95c7dc7fe8a4f7972a485b36c1c
humanhash: kansas-may-alanine-purple
File name: SecuriteInfo.com.Trojan.DownLoader44.65070.11978.22262
Signature: Formbook
File size: 899'072 bytes
First seen: 2022-06-28 14:42:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98f508f8ed3c13961c5e8589ed26cae7 (1 x RemcosRAT, 1 x Formbook, 1 x DBatLoader)
ssdeep: 12288:6x0dPP6n/i7iR2Yif1F/RpYRbdZhC2NYrpkqa7cLp1HvgvCacSwu9:ymP3iR2YaF/RpYRhO2Orpkq711y
Threatray: 14'071 similar samples on MalwareBazaar
TLSH: T1FC156D62F2E08477D8E61A385D4B97B49927BD116D3CA9872BE53DCE3F34640342E293
TrID:
75.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
13.2% (.OCX) Windows ActiveX control (116521/4/18)
4.9% (.EXE) InstallShield setup (43053/19/16)
1.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.4% (.SCR) Windows screen saver (13101/52/3)
dhash icon: 23b0d4d4c4dc30c3 (4 x RemcosRAT, 1 x Formbook, 1 x DBatLoader)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 233
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm keylogger
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DBatLoader, FormBook
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph: [behaviour graph image not reproduced] Behavior Graph ID: 653798. Sample: SecuriteInfo.com.Trojan.DownLoader44.65070.11978.exe. Start date: 28/06/2022. Architecture: WINDOWS. Score: 100. Process tree shown in the graph: the sample executable starts DpiScaling.exe, which injects into explorer.exe; explorer.exe then starts Ouqiciwzip.exe (twice), rundll32.exe and further processes, with cmd.exe and conhost.exe children. The graph's per-node signature and network annotations are the same signatures listed above.
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2022-06-28 14:43:08 UTC
File Type: PE (Exe)
Extracted files: 68
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:modiloader family:xloader loader persistence rat spyware stealer suricata trojan
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
ModiLoader Second Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SHA256 hash: 0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash: d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash: 3dc32f98eb13d725511b64924730132883ad3591
SHA256 hash: b789d4ddcafc503eff5ad068d03492ec3fe4644798c0ca68957a5405c7fc3c0d
MD5 hash: 6b0bd95c7dc7fe8a4f7972a485b36c1c
SHA1 hash: f3f4810796075f58a604b41b261d91d8d48bb67a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_Formbook_strings
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

File information


The table below shows additional information about this malware sample such as delivery method and external references.